Executive summary


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with data protection legislation, as well 
as the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations (EIR). Section 47 of the FOIA
makes provision for the Commissioner to assess whether a public authority is following good practice, including compliance
with the requirements of this Act and the provisions of the codes of practice under sections 45 and 46. The ICO sees auditing 
as a constructive process with real benefits for controllers and so aims to establish a participative approach. 


The purpose of the audit is to provide the Information Commissioner and the Department of Health (DoH) with an 
independent assurance of the extent to which the information handling practices of DoH, within the scope of this agreed
audit, conform with the codes of practice under sections 45 and 46 of the FOIA. 


DoH agreed to a consensual audit by the ICO of its compliance with the FOIA. An introductory telephone meeting was held on 
the 5 October 2020 with representatives of DoH to discuss the scope of the audit. 


It was agreed that the audit would focus on the following area(s): 


Freedom of Information (FOI): The extent to which the information handling practices of DoH, within the scope of this
agreed audit, conform with the codes of practice under sections 45 and 46 of the FOIA.


Audits are conducted following the Information Commissioner's data protection audit methodology. The key elements of this
are normally a desk-based review of selected policies and procedures, on-site visits including interviews with selected staff, 
and an inspection of selected records. 


However, due to the outbreak of Covid-19, and the resulting restrictions on travel, this methodology was no longer 
appropriate. Therefore, DoH agreed to continue with the audit on a remote basis. A desk-based review of selected policies
and procedures and remote telephone interviews were conducted from 2 February 2021 to 12 February 2021. The ICO would 
like to thank DoH for its flexibility and commitment to the audit during difficult and challenging circumstances. 


Where weaknesses were identified, recommendations have been made, primarily around enhancing existing processes to
facilitate compliance with the relevant legislation. In order to assist DoH in implementing the recommendations, each has
been assigned a priority rating based upon the risks that they are intended to address. The ratings are assigned based upon
the ICO’s assessment of the risks involved. DoH's priorities and risk appetite may vary and, therefore, they should undertake
their own assessments of the risks identified.


Audit Summary* 


Audit Scope Area: Freedom of Information


Assurance Rating / Overall opinion: There is a reasonable level of assurance that processes and
procedures are in place and are delivering freedom of information compliance. The audit has
identified some scope for improvement in existing arrangements to reduce the risk
of non-compliance with the relevant legislation.


*The assurance ratings above are reflective of the remote audit methodology deployed at this time and the rating may not necessarily represent a comprehensive 
assessment of compliance. 

Priority Recommendations


[Chart: breakdown of priority recommendations (Low, Medium, High) for all scope areas and for Freedom of Information]
Areas for Improvement


The DoH should review its FOI and Records Management Policies to ensure they reflect the Information Governance team's
reporting structure to senior management.


The DoH should implement mandatory FOI and Records Management training that includes induction and refresher training 
programmes. Pass rates should also be tracked and reported to senior management. 


Disclaimer


The matters arising in this report are only those that came to our attention during the course of the audit and are not 
necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in
place rests with the management of DoH.


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person 
or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in 
connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss 
occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any 
information contained in this report. 


This report is an exception report and is solely for the use of DoH. The scope areas and controls covered by the audit have
been tailored to DoH and, as a result, the audit report is not intended to be used in comparison with other ICO audit reports.